3

I recently upgraded to mongo 4.2.0 from 4.0.2. On the previous version the user was able to access system.indexes, but after the upgrade the user is not able to access the system.indexes collection. The user already has the readWrite role. I also tried giving dbAdmin, but still no luck.

After enabling debug logs for mongo, it shows "not authorized for query on testdb.system.indexes" (src/mongo/db/commands/find_cmd.cpp 170).

Anybody faced this issue?

Below is the output of


{
    "role" : "read",
    "db" : "testdb",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ],
    "privileges" : [
        {
            "resource" : {
                "db" : "testdb",
                "collection" : ""
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        },
        {
            "resource" : {
                "db" : "testdb",
                "collection" : "system.js"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        }
    ],
    "inheritedPrivileges" : [
        {
            "resource" : {
                "db" : "testdb",
                "collection" : ""
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        },
        {
            "resource" : {
                "db" : "testdb",
                "collection" : "system.js"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        }
    ]
}
Amit Sadafule
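
The role document above lists privileges only on the testdb database resource (collection "") and on system.js. The following is an added example, not part of the original post: it applies MongoDB's resource-matching rule, in which an empty collection string covers only non-system collections, to an abbreviated, constructed copy of that output. The "orders" collection and all function names are hypothetical.

```javascript
// Constructed, abbreviated copy of the "read" role document from the question.
const readRole = {
  role: "read",
  db: "testdb",
  inheritedPrivileges: [
    { resource: { db: "testdb", collection: "" },
      actions: ["find", "listCollections", "listIndexes"] },
    { resource: { db: "testdb", collection: "system.js" },
      actions: ["find", "listCollections", "listIndexes"] },
  ],
};

// Simplification (assumption): any name starting with "system." is a system collection.
function isSystemCollection(name) {
  return name.startsWith("system.");
}

// True when a privilege's resource document covers the namespace db.collection.
function resourceCovers(resource, db, collection) {
  if (resource.anyResource === true) return true;
  if (resource.cluster === true) return false; // cluster actions, not namespaces
  const dbMatches = resource.db === "" || resource.db === db;
  if (!dbMatches) return false;
  // An empty collection string means "every non-system collection"; a system
  // collection is covered only when it is named explicitly.
  if (resource.collection === "") return !isSystemCollection(collection);
  return resource.collection === collection;
}

// Collect every action the role grants on db.collection, sorted and de-duplicated.
function grantedActions(roleDoc, db, collection) {
  const privileges = roleDoc.inheritedPrivileges || roleDoc.privileges || [];
  const actions = new Set();
  for (const p of privileges) {
    if (resourceCovers(p.resource, db, collection)) {
      p.actions.forEach((a) => actions.add(a));
    }
  }
  return [...actions].sort();
}

function isAuthorized(roleDoc, db, collection, action) {
  return grantedActions(roleDoc, db, collection).includes(action);
}

console.log(isAuthorized(readRole, "testdb", "orders", "find"));
console.log(isAuthorized(readRole, "testdb", "system.js", "find"));
console.log(isAuthorized(readRole, "testdb", "system.indexes", "find"));
```

Run against the full rolesInfo output (with showPrivileges enabled), the same check shows which system collections a role names explicitly before and after an upgrade.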

3 Answers

7

I was able to fix this issue by creating a new role for the system.indexes collection and attaching this role to the user.

db.createRole({
    role: "readWriteSystem",
    privileges: [{
        resource: { db: "testdb", collection: "system.indexes" },
        actions: [ "changeStream", "collStats", "convertToCapped", "createCollection", "createIndex",
                   "dbHash", "dbStats", "dropCollection", "dropIndex", "emptycapped", "find", "insert",
                   "killCursors", "listCollections", "listIndexes", "planCacheRead", "remove",
                   "renameCollectionSameDB", "update" ]
    }],
    roles: []
})
db.grantRolesToUser('testuser', ['readWriteSystem'])

The strange thing is, this issue happens when you upgrade mongo by replacing binaries.

I tried setting up a fresh instance with mongo 4.2 installed and then replicating data to it, and it worked fine. But I cannot do this on production due to some technical reasons.


Dear Mongo team,

I tried to upgrade mongo using https://docs.mongodb.com/manual/tutorial/upgrade-revision/#upgrade-replace-binaries, but got the above issue. I think the doc is missing a few details about the system.indexes access-related change.

Amit Sadafule
0

Version 0.9 of Mongobee is an older version on MongoTemplate which has been discontinued from Mongo 4.2.

Extend the Mongobee class and update the MongoTemplate object to a newer MongoTemplate constructor (MethodName -> "executeChangeSetMethod"). This resolved the problem for me without any changes in roles.

Felipe Desiderati
0

Looks like "system.indexes" is deprecated starting from the mongo:4.2 documentation.

We should use the command "listIndexes" instead. But as of the mongobee implementation we have

public Document findRequiredChangeAndAuthorIndex(MongoDatabase db) {
    // Queries the legacy system.indexes collection directly
    MongoCollection<Document> indexes = db.getCollection("system.indexes");
    Document index = indexes.find(new Document()
        .append("ns", db.getName() + "." + changelogCollectionName)
        .append("key", new Document().append(ChangeEntry.KEY_CHANGEID, 1).append(ChangeEntry.KEY_AUTHOR, 1))
    ).first();

    return index;
}

in the ChangeEntryIndexDao.class

So we can extend MongoBee and use some reflection to set an extended ChangeEntryIndexDao with the method overridden this way:

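@Override
public Document findRequiredChangeAndAuthorIndex(MongoDatabase db) {
    // Use the listIndexes command on the changelog collection instead of reading system.indexes
    final ListIndexesIterable<Document> indexes = db.getCollection(changelogCollectionName).listIndexes();
    Document resultIndex = null;
    for (Document index : indexes) {
        final Document indexKey = index.get("key", Document.class);
        // Match the index whose key has both changeId and author in ascending order
        if (indexKey.containsKey(ChangeEntry.KEY_CHANGEID) && indexKey.getInteger(ChangeEntry.KEY_CHANGEID) == 1 &&
                indexKey.containsKey(ChangeEntry.KEY_AUTHOR) && indexKey.getInteger(ChangeEntry.KEY_AUTHOR) == 1) {
            resultIndex = index;
            break;
        }
    }

    return resultIndex;
}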